New Security Update addresses "safe file" issue...

[ElDiabloConCaca]

Get it while it's hot in Software Update (or download it manually, but what fun is that?).

http://docs.info.apple.com/article.html?artnum=303382

Now all those people bitching about how insecure Mac OS X is can shut their mouths. Those "proofs of concept" existed for what -- barely a week? -- and now Apple has patched it.

Dearest Crackers: next time be a little more creative with your exploits. Copying and pasting a JPEG icon on a UNIX executable has got to be the most juvenile attempt at an exploitation. Why don't y'all learn to REALLY write code instead of being crappy little script kiddies?

Go spread FUD somewhere else and just let us Mac users enjoy our Macs.

[Satcomer]

Does it really help with the shell scripts from a browser?

[fryke]

ElDiablo: It wasn't the script kiddies who did that JPEG thing. It was a demo to show how _easily_ one could trick a user into double-clicking a file he or she doesn't know. Most Mac users have _no_ idea about these things, mainly because there never _were_ any real security threats on Mac OS X. And as such a demo, cloaking the file as a JPG was the right thing to do in my opinion.

There's no need to gloat now, either, I think. Sure: These holes have been filled. (Have they? Or will heise.de release a news blurb tomorrow about how this only fixes half of it?) But the past few weeks have clearly shown that if there _is_ enough energy in the world of script-kiddies etc., the Mac platform _could_ be targetted from time to time. And I think the more we gloat, the more envious people might become and start doing _just_ what you urged them to: To attack us with the real stuff. And we _don't_ want that. In my opinion.

[ElDiabloConCaca]

Did y'all even read the link?

Quote:

CVE-ID: CVE-2006-0394

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5

Impact: Viewing a malicious web site may result in arbitrary code execution

Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).

[fryke]

Erh... Yes?

[scruffy]

Have a look over the full description of the security update. Look at the CVE numbers - notice how many of them are from 2005? Throw the CVE ID into google, and you can find out more.

Just for example, the PHP vulnerabilities are from October to November 2005. That's a 3-4 month window of vulnerability. Every other OS vendor out there had patches out in a matter of days, but Apple took months. That is just plain unacceptable.

[JetwingX]

iChat. A malicious application named Leap.A that attempts to propagate using iChat has been detected. With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers.

[easterhay]

Switcher question here: Isn't the solution just for me to disable the "Open `safe' files after downloading" option in my prefs? That's what I've done, anyway.
And I agree with Fryke - it's one thing to taunt your Windozer mates down the pub about all the malware they keep getting clobbered with, another altogether to lay down the gauntlet to the script-bunnies. I for one am still luxuriating in the newfound security and peace of OsX. I'd prefer to carry on a while longer if possible.